Open Redirect in ionicabizau/parse-url

Valid

Reported on Jul 10th 2021


✍️ Description

parse-url improperly handles user input such as https:/\ and interprets it as a relative path. Backslashes after the protocol are accepted by browsers and treated as normal slashes, but parse-url reads them as a relative path, which could lead to SSRF, open redirects, or other unintended behavior.

🕵️‍♂️ Proof of Concept

// PoC.js
const parseUrl = require("parse-url")

console.log(parseUrl("http:/\ionicabizau.net/blog"))

I tested it on RunKit, where you can see it in action. The current output is:

protocol: "ssh"
port: null
resource: "http"
user: ""
pathname: "/ionicabizau.net/blog"
hash: ""
search: ""
href: "http:/ionicabizau.net/blog"

As you can see, it interpreted the whole URL after \ as a relative path.

💥 Impact

Depending on how the application uses it: bypasses for SSRF, open redirection, and other unintended behavior.

Similar CVE reports

CVE-2021-27515, CVE-2021-27516, huntr.dev report
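
The parser disagreement described in this report, shown as an added example that is not part of the original report or of parse-url's code: a check that treats anything without "scheme://" as relative, next to the WHATWG parser (Node's global URL), which resolves a backslash after the protocol the way a browser does. naiveHost, browserHost and isSafeRedirect are hypothetical helpers, and app.example / evil.example are placeholder hosts.

```javascript
// Hypothetical naive check: only "scheme://host" counts as absolute;
// anything else is assumed to be a relative (same-site) path.
function naiveHost(input) {
  const m = /^[a-z][a-z0-9+.-]*:\/\/([^\/?#]*)/i.exec(input);
  return m ? m[1] : null; // null = "relative", wrongly considered safe
}

// Host as a browser would resolve it: for http(s) URLs the WHATWG parser
// (global URL in Node) treats "\" exactly like "/".
function browserHost(input, base) {
  try {
    return new URL(input, base).hostname;
  } catch {
    return null; // not parseable at all
  }
}

// Hardened redirect check: refuse backslashes and control characters, resolve
// against the application's own origin, then allowlist scheme and host.
function isSafeRedirect(input, base, allowedHosts) {
  if (typeof input !== "string" || /[\\\u0000-\u001f]/.test(input)) return false;
  let url;
  try {
    url = new URL(input, base);
  } catch {
    return false;
  }
  return ["http:", "https:"].includes(url.protocol) &&
    allowedHosts.includes(url.hostname);
}

// Constructed sample inputs; hosts are placeholders.
const BASE = "https://app.example";
const ALLOWED = ["app.example"];
const samples = ["/account", "https://app.example/home",
  "http:/\\evil.example/blog", "/\\evil.example", "https://evil.example/"];

// One row per input: what the naive check sees, what a browser would
// navigate to, and the hardened verdict.
function report() {
  return samples.map((s) => ({
    input: s,
    naive: naiveHost(s),
    browser: browserHost(s, BASE),
    safe: isSafeRedirect(s, BASE, ALLOWED),
  }));
}

console.table(report());
```

The rows where naive is null but browser is evil.example are the cases this report is about: the validator sees a relative path while the browser follows an absolute URL to another host.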

We have contacted a member of the ionicabizau/parse-url team and are waiting to hear back 2 years ago
x3rz modified the report
2 years ago
x3rz
2 years ago

Researcher


Any updates?

Ionică Bizău (Johnny B.) validated this vulnerability 2 years ago
x3rz has been awarded the disclosure bounty
The fix bounty is now up for grabs
Ionică
2 years ago

Maintainer


A fix for this is very welcome!

x3rz
2 years ago

Researcher


Sure, I will work on them. Also, I have one more disclosure: https://www.huntr.dev/bounties/1625925112877-IonicaBizau/git-up/

Ionică Bizău (Johnny B.) marked this as fixed in 7.0.0 with commit 21c72a a year ago
Ionică Bizău (Johnny B.) has been awarded the fix bounty
This vulnerability will not receive a CVE
index.js#L35-L49 has been validated